Introduction to Tehama

If you read only one page before getting started with Tehama Privileged Service Management, read this one.

First, a few key concepts

See the Glossary for more information, but do that later.

User

This one is simple. Everyone with a login ID is a user. Once you are invited, one of the first steps you will be asked to complete is your personal profile.

Organization and Member

Organizations are the main account concept. An organization is generally created by and maps to a single service consumer organization or an IT provider organization. Large enterprises may want to create more than one organization in order to have separate billing but let's not worry about that for now.

Organizations have a set of Members. These are users that have been invited and are trusted by the organization. Each member is given a role of either "Administrator", "Manager" or "Staff". This role designation controls what they can do on behalf of the Organization. A member's role can be changed as circumstances require.

An organization has only one member with the "Administrator" role. This member is known as the "organization owner". The organization owner has full responsibility for, and control over, the resources used by the organization. The first person from your organization/company to be invited creates both the organization account and a user account, and automatically becomes the organization owner. The organization owner can "step down" by selecting a new owner from among the Managers. (The old owner becomes a Manager.)

An organization can have multiple "Managers", invited by the organization owner (the member with the Administrator role). These members can perform most of the actions that an organization owner can, with exceptions such as visibility of organization usage and webhook administration.

All other members in an organization are "Staff" members, invited by the organization owner or one of the "Managers".

An organization owns, controls and/or uses Rooms in Tehama.

Room

A Room is the main concept enabling Tehama Privileged Service Management. It lets an organization easily create a secure and audited virtual private extension of a network in which remote people work. We sometimes call this a whiteroom, since it is a good analogy.

A Room is connected to a network, either a private network or a public network (e.g. resources in the cloud). More on this later.

A Room is a container with a set of tools and services running within it. Examples include Desktops, Firewall Rules, Secrets Vault, File Vault, App Vault and Auditing Applications. The only way these services and tools can discover the resources available to them is through the connection the Room provides.

An organization can have one or more of the following relationships to a Room. The first is "owner", which means the organization has agreed to pay for the Room and controls which services/tools are provisioned into it. The second is "connected", which means the organization controls which other organizations and which members have access to the Room, and which assets are reachable through it. The third is "use", which allows the organization to request that particular Members from its organization be granted access.

Why this complexity? In short, to separate access control, which always belongs to the organization connected to the Room, from control over the services/tools provisioned in the Room. A typical use case: the service provider organization controls the infrastructure available in the Room by paying for it (being the owner), while the connected service consumer organization retains full control over who can access it.
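To make the separation concrete, here is an added toy model (not Tehama's code) that encodes the three Room relationships and the three member roles as authorization checks; the organization names, the `Room` class and the rule that a member's own organization must be connected to or a user of the Room are assumptions for the example.

```python
"""Toy model of the Room relationship / member role separation (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMINISTRATOR = "Administrator"   # exactly one per organization: the owner
    MANAGER = "Manager"
    STAFF = "Staff"


class Rel(Enum):
    OWNER = "owner"           # pays for the Room, controls provisioned services/tools
    CONNECTED = "connected"   # controls which organizations/members get access
    USE = "use"               # may request access for its own members


@dataclass
class Room:
    name: str
    rels: dict[str, set[Rel]] = field(default_factory=dict)     # org -> relationships
    granted: set[tuple[str, str]] = field(default_factory=set)  # (org, login) with access


def org_can_manage(role: Role) -> bool:
    """Administrators and Managers act on behalf of an organization; Staff do not."""
    return role in (Role.ADMINISTRATOR, Role.MANAGER)


def can_provision(room: Room, org: str, role: Role) -> bool:
    """Provisioning services/tools is reserved to the owning (paying) organization."""
    return org_can_manage(role) and Rel.OWNER in room.rels.get(org, set())


def can_grant_access(room: Room, org: str, role: Role) -> bool:
    """Access control stays with the connected organization, even if another org pays."""
    return org_can_manage(role) and Rel.CONNECTED in room.rels.get(org, set())


def grant_access(room: Room, acting_org: str, role: Role, member_org: str, login: str) -> bool:
    """Grant a member access. Assumed rule (not stated on the page): the member's own
    organization must be connected to, or a user of, the Room."""
    if not can_grant_access(room, acting_org, role):
        return False
    if not room.rels.get(member_org, set()) & {Rel.CONNECTED, Rel.USE}:
        return False
    room.granted.add((member_org, login))
    return True


def demo() -> Room:
    """Constructed scenario: the provider pays for the Room, the consumer controls access."""
    room = Room("finance-room", {"provider": {Rel.OWNER}, "consumer": {Rel.CONNECTED},
                                 "contractor": {Rel.USE}})
    grant_access(room, "consumer", Role.MANAGER, "contractor", "alice")  # succeeds
    grant_access(room, "provider", Role.ADMINISTRATOR, "contractor", "bob")  # refused
    return room
```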

As mentioned earlier, a Room is connected to a network. For private networks, this connection is established by installing a Tehama Gateway somewhere in the infrastructure of the network being connected (at least one, and optionally two if you choose the 'Multiple Gateways' option); it works in conjunction with a Tehama Gateway Service running in the Room. (For access to resources in the cloud, a Tehama Gateway is not required. This kind of network access is referred to as 'Internet Only'.) The "connected" organization configures access to the network through the Room's firewall rules and secrets vault user interfaces, where it maintains the list of access rules, passwords, secrets, services and so on. (Firewalls in private networks must be opened up sufficiently for the connection to the Tehama Gateway Service to be established.)

Organization - Members - Room

Now that you understand the key concepts, let's Get Started!